Published by Mijingo

movie icon image

EE Insider Blog

Spend your time learning and developing sites with ExpressionEngine and we'll use this blog to keep you informed of all the news related to ExpressionEngine and CodeIgniter.

» Read more in the Archives.

» Have a tip? Send us your EE news.

Learn ExpressionEngine Today

Over a series of 8 videos, watch and learn as Ryan builds an entire ExpressionEngine website from beginning to end. Get started now.

EU Cookie Legislation and ExpressionEngine

In 80 days the new EU legislation on web browser cookies grace period will end in the UK. As of May 26, 2012 “if you are not compliant or visibly working towards compliance, you run the risk of enforcement action, which can include a fine of up to half a million pounds for a serious breach.” (via EU Cookie Law Explained)

In short, you need to get consent from your website visitors to store cookies on their computer. From The Cookie Collective:

It has been designed to protect online privacy, by making consumers aware of how information about them is collected by websites, and enable them to choose whether or not they want to allow it to take place.

It started as an EU Directive that was adopted by all EU countries on May 26th 2011. At the same time the UK updated its Privacy and Electronic Communications Regulations, which brought the EU Directive it into UK law.

Each EU member state has done or is doing the same thing. Although they all have their own approach and interpretation, the basic requirements of the directive remain the same.

EE developer Andy Marshall (you might know him as “moogaloo”) wrote about this on his blog and the implications it has for users of ExpressionEngine.

The law requires all non-essential cookies not be dropped until the user explicitly opts in. The definition of non-essential seems pretty vague - some people see eCommerce cart cookies as essential and therefore exempt from the laws, but I’m not sure if that’s been categorically confirmed. And what about ones that are hard coded into a CMS that, whilst largely benign, would be hard to argue are essential to the site’s functionality.

ExpressionEngine - our CMS of choice - for example uses 3 cookies to track a users recent activity, last visit and general site movements. None of these record a person’s email, name or other identifiable details, merely their browser session on your site, but are all non-essential to the site.

I do not live in the EU and I am not an expert on this law but it seems like is a lot of gray area here in how the law requirements are interpreted.

So, what is going to happen to sites running ExpressionEngine? I don’t know but hopefully everyone will be able to comply before the May deadline. In another blog post today, Andy Marshall again covers the topic of the legislation and EE. He wonders what EllisLab is doing about it (if anything).

The problem is, ExpressionEngine uses 3 cookies by default and they can’t be turned off. They don’t do anything that concerns me, but the fact they can’t be removed from the core EE installation does. By using an ExpressionEngine site, I am now making a site uncompliant with a very real law that will require sites to run without non-essential cookies.

Andy called on EllisLab to address this problem. In the comments Steven Grant linked to a EE support thread that shows that EllisLab is aware of the problem and, as of the last update in January, plan to work on the issue and address it so everyone who in affected by the EU leglisation can comply. Robin Sowell, a software engineer at EllisLab replied:

We’ve reached the discussion stage on it- it was already on our radar. We haven’t started coding on it, and our plans aren’t currently firmed up, but we do know the deadline is looming. But yes- we do intend to give our users a way to comply with the cookie requirement. At least on the frontend, EE will need to be able to run cookie free, and I’m thinking some posts on different ways to honor the requirement will likely be needed as well. And yes- right now, there’s no way to totally disable cookie setting.

Hopefully in the next 80 days we’ll have more updates about the progress EllisLab is making on making the frontend of EE cookie free.

Posted on Mar 05, 2012 by Ryan Irelan

Filed Under: ExpressionEngine 2, Life as a Web Professional

Mark Croxton16:49 on 03.06.2012

This looks likes a good approach. It’s aiming to become the standard widget for cookie opt-in: http://www.civicuk.com/cookie-law/

Strictly speaking though this approach with EE would only be truly legitimate if EE cookies are set when the user grants consent and not before. So it would require a cookie-less EE to be functional.

My view is that EE cookies qualify as essential and you only need permission for cross-site tracking and analytics cookies. Of course, IANAL.

Brett17:07 on 03.12.2012

I would *love* for EllisLab to address this in a very-near-future release. That EE sets persistent cookies is a show-stopper for most U.S. government websites. For the one USG website I manage with EE, I hack a core file after every upgrade to change the persistent cookie to a session cookie.

Wolf Software13:36 on 04.12.2012

You could take a look at the options from Wolf Software

http://cookies.dev.wolf-software.com - This is a GA specific drop in solution.

http://jpecr.dev.wolf-software.com - This is a more universal solution

Jeff11:40 on 05.07.2012

Hi Brett,

Do you mind showing your hack? I desperately need to “fix” this for one client and I’m getting nervous that EE 2.5 won’t arrive in time…